From: Samir Bellabes <sam-AT-synack.fr>
Subject: [RFC] snet - Security for NETwork syscalls
Date: Mon, 19 Jan 2009 05:17:28 +0100
Hi LSM users,
As the discussion thread "RFC: Socket MAC LSM" put a question on how to
build a simple personal firewall, I am pleased to introduce the snet tool.
As you may remember, I worked on the "network event connector"
(cn_net). The main idea is to capture events coming from userspace,
whenever a process is doing some network syscall (sys_listen,
sys_bind, ...), and send useful related information to userspace to
decide if the syscall has to be accepted or denied.
As cn_net was a proof of concept, I moved to this new tool, snet.
Main improvements are:
* using libnl, instead of the connector.
* having a library in userspace, instead of a direct daemon.
snet is a kernel patch and a userspace library + sample tools:
* kernel code is using LSM, and communicates with userspace through libnl.
* userspace code is built as a library, so it's easy to use it in your
own code, in order to intercept "events".
Here is the output of the example program available with the userspace library:
* verdict_id=0xd syscall=CONNECT protocol=6 [tcp] family=2 uid=256
id=23886 [tcpconnect] 0.0.0.0:0->127.0.0.1:80
* verdict_id=0x4 syscall=LISTEN protocol=6 [tcp] family=2 uid=123
pid=5059 [tcplisten] 127.0.0.1:10000->0.0.0.0:0
This information is available through the library callback function.
As you can guess, at this point it's really easy to log this into a
database or build a personal firewall.
The great advantage is that it supports all network protocols and all
network families easily, as we are at the socket level.
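As an added illustration of the "personal firewall in the callback" idea (this is example code, not snet's own library or API): a first-match rule table that turns one intercepted syscall event into a verdict, with a default-deny fallback. The `net_event` layout, the verdict names and the `decide()` signature are assumptions; the sample events are constructed from the two output lines shown above.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Verdict names and the event layout are assumptions, not snet's real API;
 * the event fields mirror what the post's example program prints. */
enum verdict { DENY = 0, ACCEPT = 1 };
struct net_event {
    const char *syscall;                           /* "CONNECT", "LISTEN", ... */
    int family, protocol;                          /* 2 = AF_INET, 6 = tcp */
    unsigned uid, pid;
    const char *local_addr;  unsigned local_port;  /* left side of "a:p->b:q" */
    const char *remote_addr; unsigned remote_port; /* right side */
};
/* Rule fields left at their wildcard (NULL, ANY_UID or 0) match anything. */
#define ANY_UID UINT_MAX
struct rule {
    const char *syscall; unsigned uid; int protocol;
    unsigned local_port; const char *remote_addr; unsigned remote_port;
    enum verdict action;
};
/* First match wins. Unmatched events get default_policy, which is also the
 * safe answer for a verdict the kernel times out waiting for. */
static const struct rule rules[] = {
    { "CONNECT", ANY_UID, 6, 0,     "127.0.0.1", 80, ACCEPT }, /* local web server */
    { "LISTEN",  123,     0, 0,     NULL,        0,  DENY   }, /* uid 123 may not listen */
    { "LISTEN",  ANY_UID, 6, 10000, NULL,        0,  ACCEPT }, /* one permitted tcp port */
};
static const enum verdict default_policy = DENY;
static int str_match(const char *want, const char *have) { return !want || !strcmp(want, have); }

/* The callback body: map one intercepted syscall to a verdict. */
enum verdict decide(const struct net_event *ev)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct rule *r = &rules[i];
        if (str_match(r->syscall, ev->syscall) &&
            (r->uid == ANY_UID || r->uid == ev->uid) &&
            (r->protocol == 0 || r->protocol == ev->protocol) &&
            (r->local_port == 0 || r->local_port == ev->local_port) &&
            str_match(r->remote_addr, ev->remote_addr) &&
            (r->remote_port == 0 || r->remote_port == ev->remote_port))
            return r->action;
    }
    return default_policy;
}
/* Constructed sample input: the two events from the post, plus an unlisted one. */
const struct net_event ev_connect = { "CONNECT", 2, 6, 256, 23886, "0.0.0.0", 0, "127.0.0.1", 80 };
const struct net_event ev_listen  = { "LISTEN",  2, 6, 123, 5059,  "127.0.0.1", 10000, "0.0.0.0", 0 };
const struct net_event ev_ssh     = { "CONNECT", 2, 6, 256, 23886, "0.0.0.0", 0, "127.0.0.1", 22 };
```

In a real deployment the same `default_policy` should be what the kernel side applies when the verdict timeout expires, so a stalled or crashed userspace daemon fails closed rather than open.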
I assume everything is not perfect for a "true" code release,
but this is working well for me, and I chose to stop delaying the release
and show some code, as more people are trying to do the same thing.
You can download the userspace part here:
The homepage is available at http://www.synack.fr/project/snet/
Samir Bellabes (6):
snet: initial commit
snet: filtering behaviour and default policy
snet: support for socket_create()
snet: fixing output format
snet: support verdict timeout
snet: make sequence number atomic
Kconfig | 1
Makefile | 2
snet/Kconfig | 12
snet/Makefile | 8
snet/include/snet.h | 21 +
snet/include/snet_hash.h | 18 +
snet/include/snet_hooks.h | 22 +
snet/include/snet_netlink.h | 207 ++++++++++++++
snet/include/snet_utils.h | 8
snet/include/snet_verdict.h | 27 +
snet/snet_core.c | 90 ++++++
snet/snet_hash.c | 247 +++++++++++++++++
snet/snet_hooks.c | 624 ++++++++++++++++++++++++++++++++++++++++++++
snet/snet_netlink.c | 624 ++++++++++++++++++++++++++++++++++++++++++++
snet/snet_utils.c | 14
snet/snet_verdict.c | 226 +++++++++++++++
16 files changed, 2151 insertions(+)
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to firstname.lastname@example.org
More majordomo info at http://vger.kernel.org/majordomo-info.html